Overview
- EXPMON's Haifei Li found that malicious PDFs trigger a zero-day in Adobe Reader as soon as they are opened, even on the latest build.
- VirusTotal uploads from November 2025, plus fresh samples, suggest a months-long campaign that uses Russian-language oil and gas lures.
- The PDFs call privileged Acrobat JavaScript functions such as util.readFileIntoStream and RSS.addFeed to read local files and other data and exfiltrate them.
- Li has verified data theft but not any follow-on code-execution or sandbox-escape payloads, and Adobe has not yet confirmed details or released a patch after being alerted this week.
- Until a fix is available, Li advises avoiding untrusted PDFs and urges defenders to block outbound traffic that carries the 'Adobe Synchronizer' user-agent string.